7 Cybersecurity Questions Every Company Should Be Able to Answer

January 8, 2019 | Blog | Patrick Daniel

In my advisory role, I see companies of all sizes asking IT and security executives what is being done to address cybersecurity at their companies. I have had the opportunity to work with a lot of companies, large and small, and I can safely say that cybersecurity is on everyone’s minds. Boards of directors and business owners of all sizes are becoming engaged in the discussion around cybersecurity. Data breaches are happening so often now that they are no longer shocking. Big names such as Facebook, Marriott, and Google+ have had their data compromised. You may think to yourself: If they can’t protect their data, with their large budgets, how can I ensure my company is protected? That’s a fair question, and my answer is a reassuring one: It is possible.

The why

First, let’s talk about why it’s important. To put it plainly, data breaches are costly. IBM’s 13th annual Cost of a Data Breach study, the industry’s gold-standard benchmark research independently conducted by Ponemon Institute, reports that the global average cost of a data breach is now $3.86 million, up 6.4 percent over the previous year. The average cost for each lost or stolen record containing sensitive and confidential information is now $148, up 4.8 percent year over year. Additionally, the average cost for a small business to clean up after it has been hacked stands at $690,000, and for middle market companies it is over $1 million. However, that’s not the whole picture. Even after the breach has been remediated and appropriate actions have been taken, what is the cost to your brand? The United States National Cyber Security Alliance found that 60 percent of small companies are unable to sustain their businesses for more than six months after a cyberattack.

The how

So, what should your company do? The answer is prevention, detection, and response. To prevent these types of breaches, companies should review their security measures and consider the following:

Implement security awareness and training

Implement appropriate preventive tools and controls

Protect all devices that connect to the internet or to wireless networks

Encrypt your most sensitive files

Keep software and hardware current

To detect and respond to security breaches, companies need to:

Implement appropriate monitoring tools

Implement incident response procedures

Implement business continuity procedures

Here are 7 questions your organization should be able to answer readily:

1. How secure is your company’s data?

2. How do you know your data is secure?

3. What are the biggest threats to your organization’s data security?

4. What security policies and procedures are in place to prevent and respond to data leaks?

5. What are all of the endpoints on your company’s network?

6. What cybersecurity technologies do you use to protect and monitor your data?

7. How much money and resources would you lose if your company suffered a data breach?

If you know the answers to all these questions, that is a great start. If you are not sure how to answer some of these questions, you should consider working with an expert you trust to provide guidance in this complex and shifting environment. A trusted advisor can help you ensure your cybersecurity program has been adequately implemented to address and minimize your organization’s cyber risks.

You might be thinking: “Yes, I would love to do this, but our company can’t afford it.” The truth is that cybersecurity preparedness costs a small fraction of what a breach would cost. I have seen cybersecurity risk assessment engagements starting at $10,000 and going to $50,000 for large enterprises, but it very much depends on your company’s size, industry, and the project’s scope.

The bottom line

Cyberattacks are not going away. It’s quite the opposite: They will become more pervasive and sophisticated. It’s not a matter of if, but a matter of when. Once you have strong cybersecurity policies and procedures in place, it is crucial to keep them updated and to evaluate them continually, because attacker tactics and threats evolve quickly. If your company does not have this type of expertise in-house, I recommend you find a cybersecurity advisor you trust to help you get there. Here’s to peace of mind in 2019!

Patrick Daniel is an IT Audit and Consulting Director at Moore Colson. He is responsible for enhancing IT auditing services focusing on Sarbanes-Oxley initiatives, compliance and security governance for many of Moore Colson’s major clients. He also leads many of the firm’s SOC audits and attestation engagements.